REST Security implementation for REST Gateway
This security framework integrates with Flask-RESTful to secure REST services.
Generally, a userstore is simply a class that loads user details and returns them as a user object.
Typically (but not always), user details are stored as records in a database or as objects in a directory. Each user can
be identified by a unique attribute, such as a username or id, or by a unique combination of attributes.
To authenticate a user (for example, by username and password) it may be necessary to load the user's
details and verify that the given credentials actually match.
To support a variety of userstore systems and configurations, the Cloudify security framework accepts different
userstore implementations. It is possible to use the default Flask-secuREST simple userstore or to provide a new
implementation that supports a specific userstore system.
An Authentication Provider is a class that performs authentication. Multiple authentication providers can be configured
in order to support multiple authentication methods (e.g. password, token, Kerberos).
When a REST call is received by the REST service, the security framework attempts to authenticate it using the
configured authentication providers, in the order they are configured. If the first authenticator fails, the second one is attempted, and so on.
The authentication provider has access to the userstore instance (if configured) and can use it to get user details and
use them to perform authentication.
For example, it can compare the given password to the one found on the userstore or verify the user is still active
(in many environments users are marked as "inactive", instead of deleting the account entirely).
Once an authenticator successfully authenticates the request's user, it returns the user object and the request is allowed to proceed. The remaining authenticators are not called until the next request is processed. If none of the authenticators can authenticate the request, the request does not reach its endpoint and the client receives an "Unauthorized User" error.
Note: Token was mentioned above as an authentication method. In order to send a token with each request, the user must first obtain a token. Tokens can be generated by many systems, and they will work as long as the token can be processed by one of the registered authentication providers.
A valid userstore implementation can be any Python class that inherits from AbstractUserstore and implements:
- get_user() - returns the matching user from the userstore, or None if no matching user is found. The object returned by get_user() must adhere to Flask-secuREST's User Model.
An example of a userstore class based on LDAP is LDAPUserStore.
A valid authentication provider implementation can be any Python class that inherits from
AbstractAuthenticationProvider and implements an authenticate method.
An example of an authentication provider based on password authentication is PasswordAuthenticator.
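The following is an added example, not code from Flask-secuREST or Cloudify, that models the two contracts described above in one runnable piece: a userstore whose get_user() returns None when no user matches, and a chain of authentication providers tried in order until one returns a user (a password provider that also enforces the "inactive" check, followed by a token provider). The class and method names mirror the text; the exact method signatures, the User fields, the dict-shaped request and all usernames, passwords and tokens are assumptions constructed for this illustration.

```python
# Added example, not Flask-secuREST's or Cloudify's own code. Signatures, the
# User fields and the dict-shaped request are assumptions for this illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    # Assumed user model: unique username, salted password hash, active flag.
    username: str
    salt: bytes
    password_hash: bytes
    active: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash so plaintext passwords are never stored (illustrative work factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AbstractUserstore:
    def get_user(self, identifier: str) -> Optional[User]:
        raise NotImplementedError


class InMemoryUserstore(AbstractUserstore):
    """Constructed stand-in for a database- or directory-backed userstore."""

    def __init__(self, users):
        self._users = {u.username: u for u in users}

    def get_user(self, identifier):
        return self._users.get(identifier)  # None when there is no matching user


class AbstractAuthenticationProvider:
    def __init__(self):
        self.attempts = 0  # lets a caller confirm whether this provider was consulted

    def authenticate(self, request: dict, userstore: AbstractUserstore) -> Optional[User]:
        """Return the authenticated User, or None to hand over to the next provider."""
        raise NotImplementedError


class PasswordAuthenticator(AbstractAuthenticationProvider):
    def authenticate(self, request, userstore):
        self.attempts += 1
        username, password = request.get("username"), request.get("password")
        if username is None or password is None:
            return None  # not a password request; let another provider try
        user = userstore.get_user(username)
        if user is None or not user.active:
            return None  # unknown or deactivated account
        candidate = hash_password(password, user.salt)
        # Constant-time comparison avoids leaking partial matches through timing.
        return user if hmac.compare_digest(candidate, user.password_hash) else None


class TokenAuthenticator(AbstractAuthenticationProvider):
    """Accepts tokens issued earlier by some other system; maps token -> username."""

    def __init__(self, issued_tokens: dict):
        super().__init__()
        self._tokens = issued_tokens

    def authenticate(self, request, userstore):
        self.attempts += 1
        token = request.get("token")
        username = self._tokens.get(token) if token else None
        if username is None:
            return None
        user = userstore.get_user(username)
        return user if user is not None and user.active else None


def authenticate_request(request, providers, userstore) -> Optional[User]:
    """Try each provider in order; the first success wins. None means 'Unauthorized User'."""
    for provider in providers:
        user = provider.authenticate(request, userstore)
        if user is not None:
            return user
    return None


def build_demo():
    """Constructed users and tokens for the example; returns (userstore, providers)."""
    def make_user(name, password, active=True):
        salt = secrets.token_bytes(16)
        return User(name, salt, hash_password(password, salt), active)

    store = InMemoryUserstore([
        make_user("alice", "correct-horse"),
        make_user("bob", "hunter2", active=False),  # deactivated rather than deleted
    ])
    providers = [
        PasswordAuthenticator(),
        TokenAuthenticator({"tok-constructed-alice": "alice", "tok-constructed-bob": "bob"}),
    ]
    return store, providers
```

Calling build_demo() and then authenticate_request() with a password request for alice returns her user object without the token provider ever being consulted; a wrong password falls through to the token provider and, with no token present, ends in None (the "Unauthorized User" case). Bob's correct password and Bob's token both yield None because his account is inactive, which shows why the active check belongs in every provider, not just the password one.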